Description
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can send a specially crafted POST request containing an excessively long scope parameter to Keycloak’s OpenID Connect token endpoint. The Keycloak server consumes excessive CPU and memory while parsing the parameter, causing prolonged processing times and eventually rendering the service unresponsive. This denial of service can impact all clients relying on the token endpoint for authentication.

Affected Systems

The vulnerability affects Red Hat builds of Keycloak 26.2, including the 26.2.15 update, and Red Hat builds of Keycloak 26.4, including the 26.4.11 update, all running on Red Hat Enterprise Linux 9.

Risk and Exploitability

The published CVSS score of 7.5 indicates a high severity risk level, while the EPSS score is not available and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely from any external network that can reach the exposed token endpoint, without needing authentication. No official workaround exists, making the only effective mitigation the application of vendor patches.

Generated by OpenCVE AI on April 2, 2026 at 23:18 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the latest Red Hat Keycloak updates (RHSA‑2026:6475 through RHSA‑2026:6478).
  • If upgrading is not immediately possible, restrict access to the Keycloak OIDC token endpoint to trusted networks or enforce strict request‑size limits as a temporary measure.

Generated by OpenCVE AI on April 2, 2026 at 23:18 UTC.

Advisories
Source: Github GHSA
ID: GHSA-h4wv-g838-66g3
Title: Keycloak: Application-Level DoS via Scope Processing
History

Thu, 16 Apr 2026 21:00:00 +0000

First Time appeared (added): Redhat build Of Keycloak
CPEs (added):
  cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
  cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*
Vendors & Products (added): Redhat build Of Keycloak

Fri, 03 Apr 2026 19:00:00 +0000

Metrics ssvc (added):
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 01:30:00 +0000

References
Metrics threat_severity (removed): None
Metrics threat_severity (added): Important


Thu, 02 Apr 2026 20:30:00 +0000

CPEs (added): cpe:/a:redhat:build_keycloak:26.2::el9
References

Thu, 02 Apr 2026 14:15:00 +0000

CPEs (removed): cpe:/a:redhat:build_keycloak:
CPEs (added): cpe:/a:redhat:build_keycloak:26.4::el9
References

Thu, 02 Apr 2026 13:15:00 +0000

Description (added): A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged processing times, ultimately resulting in a Denial of Service (DoS) for the Keycloak server.
Title (added): Keycloak: keycloak: denial of service via excessive processing of openid connect scope parameters
First Time appeared (added):
  Redhat
  Redhat build Keycloak
Weaknesses (added): CWE-1050
CPEs (added): cpe:/a:redhat:build_keycloak:
Vendors & Products (added):
  Redhat
  Redhat build Keycloak
References
Metrics cvssV3_1 (added):
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-03T17:23:00.421Z

Reserved: 2026-03-23T08:41:40.650Z

Link: CVE-2026-4634

Vulnrichment

Updated: 2026-04-03T17:22:55.273Z

NVD

Status : Analyzed

Published: 2026-04-02T13:16:27.027

Modified: 2026-04-16T20:50:10.327

Link: CVE-2026-4634

Redhat

Severity : Important

Public Date: 2026-04-02T12:30:00Z

Links: CVE-2026-4634 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:47Z

Weaknesses